1 of 1 people found this helpful
Because there is no security/permission that control which variables users can create, modify or delete, I recommend the following:
1. All user variables (Local, Smart Folder or Pool) have to start with the application code.
e.g. If the jobs are for the application Murex and it's code in Control-M is MRX so any variables in jobs for Murex have to start with %%MRX_*
2. Global Variables will have GLB_<APP CODE_* (e.g. GLB_MRX_*)
3. Then I have audit reports that run daily and report on jobs that have been created with variables that don't meet this standard. (this has to be a sql script you write, as far as I know there is no out of the box report that can do this check)
If you have Workload Change Manager, so at least in v19, variables can be managed through site-standards and then you can enforce a naming standard without having to run audit reports.
In addition to prevention, what do you think about creating a cyclic job that issues the ctmvar -ACTION DELETE -VAR command for each system variable?
ctmvar -ACTION DELETE -VAR %%\\DATE
ctmvar -ACTION DELETE -VAR %%\\NEXT
We have workload change manager and will define the standard on all variables.
2 of 2 people found this helpful
Using ctmvar to delete global variables that have the same name as system variables should be fine.
I don't see any problem with doing that. (but I still suggest some testing before you do this in PROD)
It is not a perfect fix, but you could always consider controlling the utilities that particular Agents can execute via updating the AGPERMIT_UTILS file on the Control-M Server.